Responsible Disclosure: Content Injection flaw in Gett's Website

by @edent | # # # # | Read ~158 times.
A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…

Continue reading →

Responsible Disclosure: SVG injection in Three.co.uk

by @edent | # # # # # # | 4 comments | Read ~530 times.
The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can…

Continue reading →

Security issues on ArtChain

by @edent | # # # # | 4 comments | Read ~4,501 times.
A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and the some of the…

Continue reading →

Minimum Viable XSS

by @edent | # # # | Read ~2,722 times.

Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echos back user input without sanitising it. So a search for " <em>" turns the whole page italic. *ahem*…

Continue reading →

Responsible Disclosure - XSS Flaw at LetsSaveMoney.com

by @edent | # # # # | Read ~376 times.

Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this…

Continue reading →

Private Eye - Not As Clever As They Think They Are

by @edent | # # # # | 2 comments | Read ~275 times.

Private Eye is the only "Dead Tree" publication I buy. I think its satire misses the mark more often than not - but its investigative journalism and general muck-raking are second to none. The Eye has reluctantly been drawn into the digital age. It has a piss-poor website run by the sort of "tired and…

Continue reading →

Privacy and Security Flaw with CAB

by @edent | # # | Read ~136 times.

The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on its site. It's heartbreaking. Interesting new digital stuff emerging from @CitizensAdvice http://t.co/zvc0kcoj0A <-- uncomfortable, messy, visceral reality @mikedixonCAB — Tom Loosemore (@tomskitomski) October 21, 2014 who supplies my electricity why do some children become looked after will i…

Continue reading →

The Unsecured State Part 2 - EduBase XSS (Disclosed & Fixed)

by @edent | # # # # | 6 comments | Read ~1,465 times.

This is part 2 of a series of blog posts looking at the security of the UK Government's web infrastructure. Many XSS flaws rely on altering the GET parameters of a request. Some webmasters seem to think that if their forms only use POST they will be immune from the XSS. This is not the…

Continue reading →

The Unsecured State Part 1 - UK Parliament XSS Flaw (Disclosed & Fixed)

by @edent | # # # # | 5 comments | Read ~1,617 times.

This is part 1 of a series of blog posts looking at the security of the UK Government's web infrastructure. The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people.…

Continue reading →

Huffington Post UK XSS Flaw (Disclosed & Fixed)

by @edent | # # # | Read ~128 times.

The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page. Although the above image show a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to…

Continue reading →